[Ach] bettercrypto.org certificate has expired today

Jeroen Massar jeroen at massar.ch
Wed Mar 8 14:53:40 CET 2017


On 2017-03-08 14:19, Hanno Böck wrote:
> On Wed, 8 Mar 2017 14:00:11 +0100
> Jeroen Massar <jeroen at massar.ch> wrote:
> 
>> Indeed, the moving parts of Let's Encrypt are not so much fun. What if
>> LE goes down for a few days because somebody DDoSes them to
>> nowhere... lots of unhappy websites there will be.
> 
> If your ACME implementation is somewhat smart a few days shouldn't be an
> issue.
> You certainly shouldn't request a new cert just before the old one
> expires. What you should do is to request a new cert with a reasonable
> timeframe before your old one expires (one could probably argue forever
> what a reasonable timeframe is, but I'd say something between 10 and 30
> days). If it doesn't work because LE is down retry a bit later.

10-30 days functions now, but they want to reduce it to a lot less (10
days is one version).... lots of fun one day ;)

> There's however a related issue with OCSP and OCSP stapling, which is
> more critical and generally a big mess, because the OCSP stapling
> implementation in apache and nginx is horrible and they show no
> interest in fixing it.

And then add the headers to DNS for TLSA, and wait for TTLs to expire etc.

Anything Crypto is horrible ;)

Greets,
 Jeroen
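The renewal-window argument above (renew well before expiry, retry later if the CA is down) can be checked with a small scheduler simulation. This is an added example, not code from the thread or from any ACME client; the CA outage, the issue date and the `request`/`make_ca` stand-ins are constructed assumptions, and the only real-world constant is the 90-day Let's Encrypt certificate lifetime.

```python
"""Renewal-window simulation (constructed example, not part of the thread)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
VALIDITY = timedelta(days=90)   # Let's Encrypt issues 90-day certificates
RETRY = timedelta(hours=12)     # wait this long before retrying a failed renewal (assumption)


class CaUnavailable(Exception):
    """Raised by the stand-in CA while it is 'down' (hypothetical)."""


def make_ca(outage_start, outage_end):
    """Return a stand-in ACME issue call (hypothetical) that fails in [outage_start, outage_end)."""
    def request(now):
        if outage_start <= now < outage_end:
            raise CaUnavailable(f"CA unreachable at {now:%Y-%m-%d %H:%M}")
        return now + VALIDITY   # notAfter of the freshly issued certificate
    return request


def should_renew(not_after, now, window):
    """Renew once the remaining lifetime is at or below the window (the 10-30 days discussed)."""
    return not_after - now <= window


def simulate(not_after, start, end, window, request, step=timedelta(hours=1)):
    """Run an hourly scheduler from start to end.

    Returns (renewed_at, gap_hours): when the new certificate was obtained
    (None if never) and how many hours the site served an expired certificate.
    """
    now, next_try, renewed_at, gap = start, start, None, timedelta(0)
    while now < end:
        if renewed_at is None and now >= next_try and should_renew(not_after, now, window):
            try:
                not_after = request(now)
                renewed_at = now
            except CaUnavailable:
                next_try = now + RETRY      # CA down: back off, do not give up
        if now >= not_after:
            gap += step                     # still serving an expired certificate
        now += step
    return renewed_at, int(gap / timedelta(hours=1))


def run_scenario(window_days):
    """Constructed scenario: 90-day cert issued 2017-01-01, CA outage 2017-03-29 to 2017-04-03."""
    not_after = datetime(2017, 1, 1, tzinfo=UTC) + VALIDITY          # expires 2017-04-01
    request = make_ca(datetime(2017, 3, 29, tzinfo=UTC), datetime(2017, 4, 3, tzinfo=UTC))
    renewed_at, gap = simulate(not_after,
                               datetime(2017, 3, 1, tzinfo=UTC),
                               datetime(2017, 4, 10, tzinfo=UTC),
                               timedelta(days=window_days), request)
    return (renewed_at.isoformat() if renewed_at else None, gap)


if __name__ == "__main__":
    for days in (20, 1):
        renewed, gap = run_scenario(days)
        print(f"window={days:>2}d  renewed_at={renewed}  expired_for={gap}h")
```

With a 20-day window the renewal happens on 2017-03-12, long before the outage, and the site never serves an expired certificate; renewing one day before expiry lands inside the outage and the retries only succeed two days after the old certificate has lapsed.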
